The way Paypal does two factor authentication is extremely poor.
We had ours compromised a couple years ago, not via the Paypal or Ebay sites, but through email.
Using the email, the email password was changed, then the paypal password, all via the "I forgot my password" link.
Then they sent two payments to some foreign country.
We changed everything back, contacted the bank, which said they had to let the fraudulent charges go through before they could cancel them??
Filed complaints with Paypal first, and in less than 12 hours they denied them saying that me sending $400 to zimbabawe or wherever and twice in the same day was "normal activity"
So passwords changed, email tied to the account changed, 2FA set up. None of it done from the computer as we suspected a keylogger that the anti malware/virus software didn't catch (and still hasn't so I haven't been able to trust the computer for 2 years... )
A month later, the same thing. But a bit slicker.
Oh yeah. Paypal sends a text asking if the payment is legit. At 4 AM. And if you don't respond they assume the payment is ok and send it through anyway. Making their 2FA worthless.
This time they covered their tracks a bit better by deleting the payment confirmation email from the server so I never received it.